Introduction

The hadoop-azure module provides support for integration with Azure Blob Storage. The built jar file, named hadoop-azure.jar, also declares transitive dependencies on the additional artifacts it requires, notably the Azure Storage SDK for Java.

To make it part of Apache Hadoop’s default classpath, simply make sure that HADOOP_OPTIONAL_TOOLS in hadoop-env.sh has ‘hadoop-azure’ in the list.

Features

Read and write data stored in an Azure Blob Storage account.

Present a hierarchical file system view by implementing the standard Hadoop FileSystem interface.

Supports configuration of multiple Azure Blob Storage accounts.

Supports both block blobs (suitable for most use cases, such as MapReduce) and page blobs (suitable for continuous write use cases, such as an HBase write-ahead log).

Reference file system paths using URLs using the wasb scheme.

Also reference file system paths using URLs with the wasbs scheme for SSL encrypted access.

Can act as a source of data in a MapReduce job, or a sink.

Tested on both Linux and Windows.

Tested at scale.

Limitations

File owner and group are persisted, but the permissions model is not enforced. Authorization occurs at the level of the entire Azure Blob Storage account.

File last access time is not tracked.

Usage

Concepts

The Azure Blob Storage data model presents 3 core concepts:

Storage Account: All access is done through a storage account.

Container: A container is a grouping of multiple blobs. A storage account may have multiple containers. In Hadoop, an entire file system hierarchy is stored in a single container. It is also possible to configure multiple containers, effectively presenting multiple file systems that can be referenced using distinct URLs.

Blob: A file of any type and size. In Hadoop, files are stored in blobs. The internal implementation also uses blobs to persist the file system hierarchy and other metadata.

Configuring Credentials

Usage of Azure Blob Storage requires configuration of credentials. Typically this is set in core-site.xml. The configuration property name is of the form fs.azure.account.key.<account name>.blob.core.windows.net and the value is the access key. The access key is a secret that protects access to your storage account. Do not share the access key (or the core-site.xml file) with an untrusted party.

In many Hadoop clusters, the core-site.xml file is world-readable. It is possible to protect the access key within a credential provider as well. This provides an encrypted file format along with protection with file permissions.

Protecting the Azure Credentials for WASB with Credential Providers

To protect these credentials from prying eyes, it is recommended that you use the credential provider framework to securely store them and access them through configuration. The following describes its use for Azure credentials in WASB FileSystem.

NOTE: You may optionally add the provider path property to the distcp command line instead of added job specific configuration to a generic core-site.xml. The square brackets above illustrate this capability.

Protecting the Azure Credentials for WASB within an Encrypted File

In addition to using the credential provider framework to protect your credentials, it’s also possible to configure it in encrypted form. An additional configuration property specifies an external program to be invoked by Hadoop processes to decrypt the key. The encrypted key value is passed to this external program as a command line argument:

Block Blob with Compaction Support and Configuration

Block blobs are the default kind of blob and are good for most big-data use cases. However, block blobs have strict limit of 50,000 blocks per blob. To prevent reaching the limit WASB, by default, does not upload new block to the service after every hflush() or hsync().

For most of the cases, combining data from multiple write() calls in blocks of 4Mb is a good optimization. But, in others cases, like HBase log files, every call to hflush() or hsync() must upload the data to the service.

Block blobs with compaction upload the data to the cloud service after every hflush()/hsync(). To mitigate the limit of 50000 blocks, hflush()/hsync() runs once compaction process, if number of blocks in the blob is above 32,000.

Block compaction search and replaces a sequence of small blocks with one big block. That means there is associated cost with block compaction: reading small blocks back to the client and writing it again as one big block.

In order to have the files you create be block blobs with block compaction enabled, the client must set the configuration variable fs.azure.block.blob.with.compaction.dir to a comma-separated list of folder names.

Page Blob Support and Configuration

The Azure Blob Storage interface for Hadoop supports two kinds of blobs, block blobs and page blobs. Block blobs are the default kind of blob and are good for most big-data use cases, like input data for Hive, Pig, analytical map-reduce jobs etc. Page blob handling in hadoop-azure was introduced to support HBase log files. Page blobs can be written any number of times, whereas block blobs can only be appended to 50,000 times before you run out of blocks and your writes will fail. That won’t work for HBase logs, so page blob support was introduced to overcome this limitation.

Page blobs can be up to 1TB in size, larger than the maximum 200GB size for block blobs. You should stick to block blobs for most usage, and page blobs are only tested in context of HBase write-ahead logs.

In order to have the files you create be page blobs, you must set the configuration variable fs.azure.page.blob.dir to a comma-separated list of folder names.

The configuration option fs.azure.page.blob.size is the default initial size for a page blob. It must be 128MB or greater, and no more than 1TB, specified as an integer number of bytes.

The configuration option fs.azure.page.blob.extension.size is the page blob extension size. This defines the amount to extend a page blob if it starts to get full. It must be 128MB or greater, specified as an integer number of bytes.

Atomic Folder Rename

Azure storage stores files as a flat key/value store without formal support for folders. The hadoop-azure file system layer simulates folders on top of Azure storage. By default, folder rename in the hadoop-azure file system layer is not atomic. That means that a failure during a folder rename could, for example, leave some folders in the original directory and some in the new one.

HBase depends on atomic folder rename. Hence, a configuration setting was introduced called fs.azure.atomic.rename.dir that allows you to specify a comma-separated list of directories to receive special treatment so that folder rename is made atomic. The default value of this setting is just /hbase. Redo will be applied to finish a folder rename that fails. A file <folderName>-renamePending.json may appear temporarily and is the record of the intention of the rename operation, to allow redo in event of a failure.

It must be noted Append support in Azure Blob Storage interface DIFFERS FROM HDFS SEMANTICS. Append support does not enforce single writer internally but requires applications to guarantee this semantic. It becomes a responsibility of the application either to ensure single-threaded handling for a particular file path, or rely on some external locking mechanism of its own. Failure to do so will result in unexpected behavior.

Multithread Support

Rename and Delete blob operations on directories with large number of files and sub directories currently is very slow as these operations are done one blob at a time serially. These files and sub folders can be deleted or renamed parallel. Following configurations can be used to enable threads to do parallel processing

To enable 10 threads for Delete operation. Set configuration value to 0 or 1 to disable threads. The default behavior is threads disabled.

WASB Secure mode and configuration

WASB can operate in secure mode where the Storage access keys required to communicate with Azure storage does not have to be in the same address space as the process using WASB. In this mode all interactions with Azure storage is performed using SAS uris. There are two sub modes within the Secure mode, one is remote SAS key mode where the SAS keys are generated from a remote process and local mode where SAS keys are generated within WASB. By default the SAS Key mode is expected to run in Romote mode, however for testing purposes the local mode can be enabled to generate SAS keys in the same process as WASB.

To use the remote SAS key generation mode, comma separated external REST services are expected to provided required SAS keys. Following property can used to provide the end point to use for remote SAS Key generation:

Authorization Support in WASB

The current implementation of authorization relies on the presence of an external service that can enforce the authorization. The service is expected to be running on comma separated URLs provided by the following config.

The remote service is expected to provide support for the following REST call: {URL}/CHECK_AUTHORIZATION An example request: {URL}/CHECK_AUTHORIZATION?wasb_absolute_path=<absolute_path>&operation_type=<operation type>&delegation_token=<delegation token>

Delegation token support in WASB

The current implementation of delegation token implementation relies on the presence of an external service instances that can generate and manage delegation tokens. The service is expected to be running on comma separated URLs provided by the following config.

The remote service is expected to provide support for the following REST call: {URL}?op=GETDELEGATIONTOKEN, {URL}?op=RENEWDELEGATIONTOKEN and {URL}?op=CANCELDELEGATIONTOKEN An example request: {URL}?op=GETDELEGATIONTOKEN&renewer=<renewer>{URL}?op=RENEWDELEGATIONTOKEN&token=<delegation token>{URL}?op=CANCELDELEGATIONTOKEN&token=<delegation token>

The service is expected to return a response in JSON format for GETDELEGATIONTOKEN request:

{
"Token" : {
"urlString": URL string of delegation token.
}
}

chown behaviour when authorization is enabled in WASB

When authorization is enabled, only the users listed in the following configuration are allowed to change the owning user of files/folders in WASB. The configuration value takes a comma seperated list of user names who are allowed to perform chown.

Caching of both SAS keys and Authorization responses can be enabled using the following setting: The cache settings are applicable only when fs.azure.authorization is enabled. The cache is maintained at a filesystem object level.

The validity of an authorization cache-entry can be controlled using the following setting: Setting the value to zero disables authorization-caching. If the key is not specified, a default expiry duration of 5m takes effect.

The validity of a SASKey cache-entry can be controlled using the following setting. Setting the value to zero disables SASKey-caching. If the key is not specified, the default expiry duration specified in the sas-key request takes effect.

Use container saskey for access to all blobs within the container. Blob-specific saskeys are not used when this setting is enabled. This setting provides better performance compared to blob-specific saskeys.